Men without hats are living on the edge

How to resolve the clash between ethics, personal integrity, “the system” and hacking? A special post for the holiday season.

By Eh’den (Uri) Biber CISA/CISM/CISSP/CRISC, member of the Neuroleadership institute.

Should a hacker ever give up his values and belief system, and if so, when? This blog is about the clash of personal belief with reality, and why a newly defined international standard can help us reach a more universal definition of what is good and what is bad.

About a month and a half ago a gambling company located in Gibraltar contacted me. They found my CV on Monster, they saw I was interested in a new role (I still am) and so they asked me if I wanted to work for them. When I told my friends and family about it, it brought a rain of criticism from some of them, who said to me “You? Work for the gambling industry? How can you work in such an unethical place?”, and this brings me to the subject of this blog – the explosive subject of ethics, morality, and universal truth.

Fast Forward

Watching the movie “The Ides of March” felt like watching a fast forward of my life as an IT professional. In the movie Ryan Gosling plays the main character – a young man by the name of Stephen, an idealistic staffer for a presidential candidate, who gets a crash course in dirty politics during the campaign. The movie was directed by George Clooney and included amazing supporting actors such as Philip Seymour Hoffman, Paul Giamatti, Evan Rachel Wood and Marisa Tomei.

(The title of the movie “Ides of March” is based on the fact that the 15th of March was a festive day dedicated to the god Mars, and also the day that Julius Caesar was murdered, in 44 B.C.)

A lot of us start our career being very idealistic, which gives us a wonderful power – it motivates us to do more than others, it helps us make a bigger effort as we see the target in front of our eyes. We believe, and belief systems are what make us feel that the universe around us makes sense. Yet when reality comes crashing down on us, it is painful. The subject of losing your innocence during your professional life is something that is rarely discussed openly during working hours. Sure, some people will find other people to share their disagreement with “the system”, but when we are forced to do something which stands totally against either our professional or personal principles it leads to different reactions. Giving up our “core values” causes a range of reactions: some will claim that what they did didn’t contradict their moral stand, and by doing so act like a rape victim who hides the trauma deep within their subconscious. Some will try to minimize it, others only talk about such events with very close friends, and some will not talk about it at all. Most people rarely talk about this, the same way alcoholics are not that happy to talk about the fact that they are killing themselves.

Young and Naïve

When I moved to Brussels with my family in 2001, I was extremely happy. After managing the IT of a big pharmaceutical company I was offered a promotion – a position in Brussels, in the EMEA (Europe, Middle East and Africa) regional headquarters, doing a job I always wanted to do – coordinating various security and partner connectivity requests in our region. My colleague’s role and mine was to help the business establish secure information exchange with various partners in the region. At least once a month we had a meeting with the people who were coordinating the activities on the other side of the ocean, at the headquarters located in the US. One of my colleagues, an extremely smart guy by the name of Larry who had worked in the field for many years, had a sentence that he used to say from time to time, and I must admit that when he said it I sometimes got upset. The sentence was “ah…Uri, he’s so young and naïve”.

Larry said it because we used to get a lot of business requests for connecting our company to other companies (or vice versa), and sometimes I used to get a business request that made me feel as if someone was asking me to sell my little daughter. Let me think of one… OK, here’s an example, but please remember it is really not a real one (I hope LOL): “We wish to establish automated FTP to transfer information during a clinical trial. We need it by next week; can you please approve it ASAP so we could tell the network guys to implement it?”. As I was reading it, I was adding in my mind the missing parts of the request: “We wish to establish (insecure) automated FTP to transfer (sensitive patient personal) information during a clinical trial. We need it next week; can you please approve it ASAP?”

This was usually the point at which I used to call the business unit that requested it, and explain to the person who sent me the request that we had a process in place that could give him a much more secure alternative. Most of the time the conversation worked, but sometimes I used to meet very dedicated people who didn’t really give a $!@# about information security, and they wanted things to be done “their way”. Obviously I was unable to approve it…and obviously it ended up with that person complaining to his management (usually a VP) that “the IT security people are trying to destroy our clinical trials”. The fact that if that information had been leaked our whole company could have been facing a huge legal action was something most of them forgot to mention. This was usually the time when my refusal to give up security caused my manager to get involved (and gave Larry reasons to mention my naïveté again).

I was extremely fortunate that my senior director, the person who was in charge of IT operations in EMEA, was a rare leader who gained a lot of respect through his professionalism. He backed us; even when we made mistakes he still backed us (but made sure we would learn from them), and having a manager who will fight for you is not a given. While I was fortunate to have such managers in that company and others, some other managers I had were known for not providing the required backing to the people who worked for them, and when this happened, it brought a dilemma:

Should I stay or should I go?

At some point in your life as an information security expert you’re going to feel like Stephen Meyers, the hero of the movie “The Ides of March”. You come to work with a clean ideological view of security, and then you meet reality, or the politics of business. That’s part of the game, and no matter how much other people tell you about it and warn you about it you will not understand it until you, yourself, are required to make a decision – will you give them what they want (and by doing so not follow your personal ethical standards), or will you move on?

I call it the coin point – you are given a coin, and you are asked to decide which side to choose.

The first side says “give them what they want” even though it stands against your professional or personal values. Some people say “I don’t care, it’s their own darn problem if something goes wrong”, which always reminds me of a play called “Rhinocéros” that was written in 1959 by Eugène Ionesco. It’s a play about how people prefer to become part of the herd just so they will not need to face any moral dilemmas. So yes, you can choose to do so, but it comes with the cost of losing yourself. Some people give up on their moral stand because they understand that if they don’t they will not work there anymore, and leaving “a system” is a painful experience. At the beginning people tell themselves it’s the last time they will do so, but at the end of the day, when you give up your professional or personal values you position yourself in the same spot any beaten wife does when she (or he) tells herself (or himself) that it’s the last time it will happen. When you do it long enough the end result is that you will become part of the system.

The other side of the coin says “leave”. Now that’s a hard one – if you leave it means you give up, and hackers are not really known for giving up that easily. I don’t mean when someone leaves because he is getting a better offer somewhere else, or because of a reorganization – I mean leaving because you felt the workplace did not match your professional or personal integrity. It did happen to me, twice in my life, and while it brought some imbalance to my financial state I think they were necessary steps in my personal development. I think when you’re younger it is easier to do so, either because you don’t understand that this game is occurring everywhere, or because when you’re young the consequences are usually much less problematic (“Hey mom/dad, I just quit my job – can I move back to your place for a while?”). And sure, sometimes leaving is not really an option:

Living on the Edge

This brings us to the last option. Each and every coin has an edge, and everyone knows how to spin a coin – you make it stand on its edge and by providing a burst of energy targeted at one of its sides you can make it spin. Now spinning coins are amazing – they are shining, they are fast, but they are also very vulnerable (and people do take advantage of this state of yours). You cannot spin forever, and any disturbance to the coin, by unbalancing the surface it is turning on or trying to touch it, will automatically make it fall on a side. So yes, there is a third option to a professional and personal dilemma – you can spin. You can choose not to choose, and try to weather the storm, but you can only do it for a short period of time, and only if you’re balanced enough (physically, mentally, emotionally and professionally). Most of the time, you risk falling on a side without any prior warning (and with or without people who will be “helping” you fall).

Back to Hack

The subject of breaking down one’s innocence is a great theme for movies and a repeated pattern throughout the lives of most of us, but for hackers such an event is usually very visible and most of the time carries a very high personal penalty, regardless of whether they are inside the system or challenge it from outside. This was the subject of (yet another) movie called “Hackers Wanted – director’s cut”. The movie was never released, and was only unofficially leaked to the internet last year (2010 – get the director’s cut which runs for 1:10:40). Directed and written by Sam Bozzo and narrated by Kevin Spacey, it explored the origins and nature of hackers and hacking by following the adventures of the hacker Adrian Lamo, and contrasting his story with that of controversial figures throughout history. For those who don’t know who Lamo is, he is the guy who broke into the New York Times, Yahoo, and Microsoft in 2002 just for the sake of breaking in and showing their security failures. He is now hiding in fear for his life, after he turned in Bradley Manning, who leaked hundreds of thousands of sensitive U.S. government documents to WikiLeaks. Kevin Mitnick, Captain Crunch, GeoHot and Lamo paid for their curiosity. Kevin Mitnick was thrown into federal prison for 4 years without trial (of which 8 months were in solitary confinement). Captain Crunch was beaten up by the mafia for refusing to tell them how he phreaked the telephone system, and then when he was thrown into prison he was stabbed, causing him physical damage. GeoHot almost went to prison and was forced to commit to never hacking any Sony system again after exposing the encryption keys of the PS3. And finally, in 2004 Lamo was sentenced to six months detention at his parents’ home plus two years probation, and was ordered to pay roughly $65,000 in restitution.

The examples above are just a hint of the many examples I am aware of. On the one hand, organizations, governments, political and ideological groups use hackers all the time, either to provide them protection or to turn their knowledge into a modern electronic warfare human weapon. On the other hand, the same groups fear anyone who is hacking for what seems to those groups to be against their causes, and those people are treated harshly and many times mercilessly. On the one hand, hackers are there to challenge the system; on the other hand the system they operate within can be viewed as a repeated process (true for any organization, whether business, NGO or government) and, due to the wish to optimize that process, most organizations don’t like (hate?) changes and challenges. The end result, many times, is a clash…

Ethics 101

This brings me to the reason I wrote this blog – the subject of ethics and hacking. Let’s start with a little Wikipedia:

How can you tell if you’re doing the right thing, ethically? After all, we all come from different cultures, and one culture’s perception of good is sometimes viewed by other cultures as “bad”. What one group of people believes in might seem like blasphemy to a big group of other people. Our world is diverse, so is our perception of it, and so are the ethics we “choose”. An ethical code is something very profound in humanity, something we all carry. The problem with ethical codes is that they are usually a direct result of the environment they were created in, and are as such very subjective. Al-Qaeda has an ethical code which is based on Islam, the Mafia in various countries has a different ethical code (for example Italian mafia ethics are not the same as Japanese Yakuza ethics). The western world has a Judeo-Christian ethical code, and this can go on forever. We look at the others and measure their values via our own perception, via our own ethical framework, and because the ethical language is different we sometimes see the others as morally wrong.

The clash between different ethical views can lead to horrible results. Take for example a middle-aged Egyptian school inspector who came to the US in 1949 to learn about its education system. His name was Sayed Kutb, and his view of the ethics and morals of the US influenced all of us. Kutb saw American society as causing Americans to become isolated beings, driven by primitive animal forces. His belief system made him join the Muslim Brotherhood upon his return to Egypt, and he became one of the movement’s leaders. He was arrested after Nasser came into power, and was tortured by Egyptians who were trained by the CIA. This led him to become even more extreme in his views, and to see “selfish individualism” as the root of all evil. One of his students was Ayman Zawahiri, the ideological leader of Al-Qaeda (you can watch Adam Curtis’ TV series “The Power of Nightmares” to learn more). Human history is filled with clashes between different groups with different ethical views.

The clash of ethics re-emerges in the workplace, and sometimes you see one system (the country) and its regulations in clash with the ethical behavior of another system – a company. A good example of such an ethical clash is Apple, which has its headquarters in the US and would never dare to demand that its employees work under the same conditions the employees of its contractors work under. More about this soon.

Men Without Hats

When it comes to hacking we hear the word ethics endlessly. We have white hat, grey hat and black hat, and we define those terms based on the system they relate to – and I do not mean the technological system.

“grey hat” refers to a skilled hacker whose activities fall somewhere between white and black hat hackers on a variety of spectra. It may relate to whether they sometimes arguably act illegally, though in good will, or to show how they disclose vulnerabilities. They usually do not hack for personal gain or have malicious intentions, but may be prepared to technically commit crimes during the course of their technological exploits in order to achieve better security. Whereas white hat hackers will tend to advise companies of security exploits quietly, grey hat hackers are prone to “advise the hacker community as well as the vendors and then watch the fallout”.

So in a broad sense, the definition of what hat you wear as a hacker really depends on the environment you operate in, or the system you operate from within. If you are hired by a company to find their vulnerabilities and to report to them on your findings – you’re a good guy. If you try to figure out different vulnerabilities by yourself – you might be considered a suspicious dude. And if you’re writing code which has malicious intent – well, watch out.

But I think the idea of “hats” is sort of pointless. If you develop code for a government that later uses it as an offense against another government (or, one system against another) you’re not considered a “black hat”. If you discover a vulnerability in a security product and your organization/government/system uses it offensively to learn about the weaknesses of another organization/government/system, is it unethical? Not all the time – especially if the organization you’re targeting is a terrorist organization, or the government is one that tortures and kills its civilians just because they are gay, or wish to have a democratic election.

Chris MacDonald, Ph.D., is an educator, speaker, and consultant in the realm of business ethics. In a recent blog entitled “What’s Legal Isn’t Always Ethical” he explained that in all legitimate cases of law making, the law always has a moral purpose – generally, either to make people’s lives better and safer (e.g., seatbelt laws) or to protect some important right (e.g., food-labelling laws). But if everything which was legal was ethical, then there would be no possibility of finding a moral rationale for any new law.

So not only is not everything that is legal ethical, but also the opposite – not everything that is illegal is unethical, or as Chris MacDonald put it: “Anyone who tells you, or simply implies, that whatever is legal is also ethical is most likely indulging in self-serving rationalizations.“ This begs the question – how can you know what is ethical?

ISO 26000

As I wrote at the beginning of this blog, a new international standard might be able to provide us with a much more objective and universal definition of what is good and what is bad. Last year a new ISO standard was approved. It is called ISO 26000, and it’s a standard for social responsibility. If you want to read the essentials of it, you can do so here.

The work on the standard began in 2005, and it was created because countries around the world agreed that humanity needs to ensure healthy ecosystems, social equity and good organizational governance. This International Standard was developed using a multi-stakeholder approach involving experts from more than 90 countries and 40 international or broadly-based regional organizations involved in different aspects of social responsibility. These experts were from six different stakeholder groups: consumers; government; industry; labour; non-governmental organizations (NGOs); and service, support, research, academics and others. In addition, specific provision was made to achieve a balance between developing and developed countries as well as a gender balance in drafting groups. The standard was approved with 94% of the countries supporting it (66 in total), and only 6% of countries rejected it (5 in total – Cuba, India, Turkey, Luxembourg and, totally (un)surprisingly, the USA).

A little bit about the standard. It covers 7 core subjects:

Organization Governance

Human rights

Labour practices

The environment

Fair operating practices

Consumer issues

Community involvement and development

For all of those core subjects, social responsibility is defined as the responsibility of an organization for the impacts of its decisions and activities on society and the environment, through transparent and ethical behaviour that:

Contributes to sustainable development, including health and the welfare of society;

Takes into account the expectations of stakeholders (This means also customers, employees and the community which you operate in, not only shareholders)

Is in compliance with applicable law and consistent with international norms of behavior; and

Is integrated throughout the organization and practiced in its relationships

Last but not least, when it comes to ethics, the standard states that an organization’s behavior should be based on the values of honesty, equity and integrity.

Here is a schematic overview of the standard:

The European Union, via the European Commission, is already taking the standard seriously via a communication entitled “A Renewed EU Strategy 2011-14 for Corporate Social Responsibility“. If you want to understand why the US was against it, you can read the Heritage Foundation’s view on the subject; they were alarmed to see a statement such as “The Commission intends to… monitor the commitments made by European enterprises with more than 1.000 employees to take account of internationally recognised CSR principles and guidelines, and take account of the ISO 26000 Guidance Standard on Social Responsibility in its own operations” in the document.

You can leave your hat on

I love ISO 26000 because it brings a new factor to our work in information security. It is an internationally agreed upon standard, which expands the range of responsibility of each and every one of us from being required to comply with one system to being required to look at the broad implications of our operations. Here is an example: if you are faced with an angry director who is trying to force you to implement crappy security just because he thinks it’s a good idea to release an insecure system, you can look in the standard and see whether a security breach of that system could lead to ISO 26000 violations. After all, the standard talks about the fact that organizations that provide products and services to consumers (as well as other customers) have responsibilities to those consumers and customers. The standard also mentions specifically that organizations that collect or handle personal information have a responsibility to protect the security of such information and the privacy of consumers. If the system might leak customer information, it will make you ISO 26000 non-compliant. Or if the security of the system that you design might end up with a risk that the system will cause environmental damage, it will be (again) a violation of the ISO 26000 standard. So IMHO we can finally say we have a way to define what is good and what is bad, at least when it comes to the workplace, because it expands the responsibility of the organization from only the shareholders to the stakeholders.

The standard also puts more pressure on organizations because now, if they are hacked and they were not transparent, violation of ISO 26000 might result in financial implications on an international scale. In the near future you will not be able to be in the supply chain of big manufacturers if evidence is provided that you violate the ISO 26000 standard.

And finally – if you work for the mafia, or for any other organization that does not take into account any of the core objectives of the ISO standard – congratulations – now you’re defined internationally as a member of an organization that is operating against humanity, including in your own country. You can leave your hat on – but if you are a real hacker you should also hack yourself and see whether you are a socially responsible hacker.

4 thoughts on “Men without hats are living on the edge”

01) Many of the people who are called “hackers” are extremely skilled people who practiced only one aspect of their brain, and yet do not show the same flexibility in other fields. This created a distorted view of reality (AKA perception). A real hacker is someone that will challenge everything, including himself. Leonardo Da Vinci was a true master hacker. A real hacker constantly challenges his perception of the world and himself. Hacking perception is the secret to greatness because it allows true thinking outside the box.
02) Hackers that work within a system to secure it are more likely to experience clashes with “the system” they operate in because they “disturb” the repeated process(es) the system is built upon.
03) Most hackers are not skilled enough to be in the state of spinning, and the result is they either “give in” to the system or leave. To be good at spinning you need to be balanced, and for that you need to be able to challenge everything, as when you spin your perception is being distorted. Most people don’t even come close to it (a lot of the time due to various neurological and physiological reasons). This is one of the reasons security fails, as people learn not to challenge everything in a critical thinking manner.
04) ISO 26000 is probably the most important ISO standard that came in the last few years, and for sure it is going to be the most important in the upcoming years. Yes – also to us in information security.
05) Ethics: Ethics are based on the system you operate in.
06) “Ethical hacking” until now only talks about one aspect of ethics – the organization which is being “hacked”.
07) “Ethical hacking” should be discussed in the wider sense of the word, from a social responsibility standpoint which takes into account all the stakeholders of “a system” and its interaction with other systems.
08) I believe hackers should be defined based on their social responsibility, not based on criteria defined by systems who only view it via the shareholders’ perspective and not the stakeholders’ perspective (and by systems I mean the full range – from corporations to governments). If a corporation, an NGO or a government is acting in a way which is anything but socially responsible, I believe it loses the ethical standpoint to define what is right and what is wrong.
09) Since our ethics and our perception are a result of our environment, I see ISO 26000 as the great opportunity for hackers to expand their very targeted mind and perception. Humanity has agreed that social responsibility is the only way forward; it’s a wonderful opportunity for hackers to tap into that movement, get involved and put their skills in that direction. Hacking can and should be a force of good, by making this world a better place.
10) Last, but not least – I highly recommend reading Sir Richard Branson’s new book “Screw Business As Usual“. The faster organizations and people understand that the current view of doing things must change, the more likely it would be for humanity to reach a better future (rather than a very unhappy end).

Adding a comment I received via LinkedIn, and my reply
George Abney • Integrity cannot be administered by a policy. It can only come from a sense of personal honor. Hacking is the conduct of a thief. There is no honor among thieves; even thieves who carry a badge. Hackers who work for police agencies are cops by convenience. They are criminals in essence yet to be documented. Universalize your conscience all you want… When conscience is little more than a vain fiction why are you sensitive about the concern of others that you have a wicked heart and cannot be trusted? It’s conceit at the core of any effort to secure public perception against the reflex of a pirate. You WANT to be the kind of criminal who is envied. So, why pretend otherwise? RUN while you’re young enough to have fun running because the day will come when you will slow down and stop. THAT is when they will catch you and cut out your black heart and feed it to you.

Uri Biber •
Hi George
I find your comment very interesting, mainly because you have a vision of the world in which hackers are a bunch of heartless, ethic-less, wicked heart, black heart criminals that can never be trusted. Seriously man? Is Steve Wozniak a heartless, ethicless criminal? You do know Steve is a very proud hacker, and so do many people I am familiar with who have a very ethical view of the world. Law does not define what is ethical or not, because if that were true every dictatorship regime would have been ethical. About ethics and law – please see Chris MacDonald’s comment about the subject.
Cheers
Uri the hacker (lol)

George Abney • Hey, man… I’m cool. The hacky-sack can only spin when it’s pitched, right? Life is filled with many excellent examples of science that would not exist without a black beginning. Web design arose most swiftly in the sticky hands of porn merchants. Burn and drown data most useful today first presented in Nazi camps under the crazed research of wacko docs. As to the ethics of ICON Woz…I must bow out. The cutting edge of any security environment is first challenged by those who dare. Evolution then happens. So, hackers provide a function necessary to innovation… Would you agree?

Uri Biber •
George, do you really see anything which is “outside the box” as black, and everything inside the box as white?
I’ve mentioned in my blog, the reason why organizations are “so anal” is because they are process oriented, and managers inside of it always view anything which “unbalance” the process as negative. That is a very linear thinking, but it’s not really effective in chaotic systems (which we all live within even though many prefer not to admit it).

The porn industry indeed was very fast in accepting web technological initiatives because it never had the constraints big corporations had, but for example when it came to HD standards it took them a lot of time until they chose the HD DVD standard (obviously a bad choice lol).

Bringing up the Nazi scientists in concentration camps is an example of immoral people; in their case they didn’t break the law because for the Nazis Jewish prisoners were not considered as having human rights at all. Maybe a better example is the US:

A commission investigating U.S. medical testing on unsuspecting Guatemalan subjects in the 1940s has reported that more than 1,300 people were intentionally infected with venereal diseases, and an estimated 83 died as treatment was withheld. The commission was established by President Obama after Susan Reverby, a professor at Wellesley College, discovered archival documents exposing the project in 2010.

The last two examples were of people who were doing immoral experiments. However, I think that in the IT world you do not need to be immoral in order to experiment. Hacking into a system and discovering its weaknesses might be illegal, but if you don’t do anything with that information other than alert the organization and later on the media, why would you be immoral?

So yes, I totally agree hackers are required for innovation, but what I wanted to say in my blog is that the “line” between illegal and legal should be defined by the level of social responsibility of all stakeholders – organizations, workers, customers, suppliers…and hackers 🙂
George Abney • No…the black and white is all a shade of gray, but the problem for many is they get drawn into that gray and become confused about what they are doing with what they learn. It is the duty of all men of honor to present examples of good citizenship…
While is fair to do good job of probe the wall of jail/bank as contractor of security organization…is not so good to be magician to prove can do trick. Is like picking pocket and then returning wallet to enraged stranger, yes? What courtesy in this? Some disrespectful person may first take a dollar for good trick before leaving wallet on cafe table for waiter to find, eh? It becomes can of worms and for what…to prove can do trick? Complication… so should be done in way that is clearly good. I think this is what you mean… It is no easy skill to test parameters without drawing lightning strike to basic friendly gesture of good will? I should not have mentioned the Znasties but only as example of strong emotions and for good reason … can good come from bad?

My vision? It is like that of any old man… I need the glasses and I try not to make the same mistake twice or a thousand times too many.

Yes… I agree with you Uri, these are difficult issues and this is illustrated by the fact they are not easy to talk about without becoming very emotional because they draw strong reaction and seem to polarize opinion so easily. I am not very clear on the important areas of probable dispute since I am almost an illiterate about all things code. I am not a hacker, nor do I know any hackers… yet the issues of privacy are important to me as much as the freedoms of speech. I am sure there are many viewpoints I can learn from… I have no doubt that your blog provides education value for those drawn to the lines of public discourse and I can see it must draw the interests of new students and old. Because I am ignorant of the fine points of this skill I cannot contribute more than as I have. So, I wish you all the best in the hard thing of education for good cause… I help get the ball rolling, maybe? Good luck and may no one who reads here have cause to ‘fall off the edge’! I too walked the cliff when I was young and full of fun.

Uri Biber • Thank you George, your contribution was impeccable, and I really enjoyed our conversation. Happy, white holidays and may 2012 bring light into your life.
Best regards
Uri